Alarm Correlation Analysis Method, Apparatus and System

ABSTRACT

According to an alarm correlation analysis method, apparatus, and system, alarm analysis rules are grouped according to a certain policy; each alarm analysis rule group is correlated with one analysis engine, and the analysis engine performs, according to an alarm analysis rule in the alarm analysis rule group corresponding to the analysis engine, correlation analysis for an alarm that has a correlation with the alarm analysis rule group, so that multiple analysis engines implement concurrent analysis on a large quantity of alarms, thereby fully utilizing a multi-core resource, and improving efficiency of alarm correlation analysis.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of International Application No.PCT/CN2014/070402, filed on Jan. 9, 2014, which claims priority toChinese Patent Application No. 201310270246.6, filed on Jun. 29, 2013,both of which are hereby incorporated by reference in their entireties.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

Not applicable.

REFERENCE TO A MICROFICHE APPENDIX

Not applicable.

TECHNICAL FIELD

The present invention relates to the field of computer technologies, andin particular, to an alarm correlation analysis method, apparatus andsystem.

BACKGROUND

As communications technologies rapidly develop, a scale of acommunications network continuously enlarges and a structure of thecommunications network becomes more complex. The communications networkis formed by interconnection of a large quantity of devices and links.When a certain device or link is faulty, an alarm is generated. Inaddition, because the device or the link may be associated with multipledevices or links, when the device or the link is faulty, a device or alink that is associated with the device or link may become faulty andgenerate an alarm, where the alarm generated by the faulty device orlink is a cause alarm, and the alarm generated by the device or linkthat is associated with the device or the link is a correlative alarm.When alarms are generated in the communications network, correlationanalysis on the generated alarms is required to analyze the cause alarmand the correlative alarm from the generated alarms, so that operationand maintenance personnel process the cause alarm, thereby ensuringnormal running of the communications network. Automatically identifyingthe cause alarm by using a function of correlation analysis so that theoperation and maintenance personnel process the cause alarm has becomean important means for quick troubleshooting, which greatly improves thetroubleshooting efficiency of the operation and maintenance personnel.At present, the function of correlation analysis still adoptssingle-engine analysis, and an existing processing mechanism has thefollowing problems: an efficiency bottleneck exists, and a single enginehas an efficiency upper limit, failing to meet an increasingly highrequirement; and multi-core resources cannot be fully utilized to exertan advantage of parallel processing.

SUMMARY

Embodiments of the present invention provide an alarm correlationanalysis method, apparatus and system, which are used to improve theefficiency of alarm correlation analysis, to some extent.

According to a first aspect, an embodiment of the present inventionprovides an alarm correlation analysis method, where the methodincludes: receiving an alarm reported by a network element device, wherethe alarm includes an alarm identifier that can uniquely identify thealarm; and if the alarm identifier of the received alarm is the same asan alarm identifier of any alarm in any alarm analysis rule that isincluded in an alarm analysis rule group corresponding to any one ofanalysis engines, performing, by an analysis engine corresponding to thealarm analysis rule group that includes an alarm indicated by the samealarm identifier, correlation analysis for the received alarm accordingto an alarm analysis rule in the alarm analysis rule group correspondingto the analysis engine, where a same alarm analysis rule group includescorrelated alarm analysis rules, one alarm analysis rule groupcorresponds to one analysis engine, the alarm analysis rule is used toindicate an interrelationship between different alarms, and multiplecorrelated alarm analysis rules all include at least one alarm with asame alarm identifier.

With reference to the first aspect, in a first implementation manner,the received alarm is transferred to the analysis engine correspondingto the alarm analysis rule group that includes the alarm indicated bythe same alarm identifier, and the analysis engine performs thecorrelation analysis for the transferred alarm according to the alarmanalysis rule in the alarm analysis rule group corresponding to theanalysis engine.

With reference to the first aspect, in a second implementation manner,the received alarm is correlated with the analysis engine correspondingto the alarm analysis rule group that includes the alarm indicated bythe same alarm identifier, and the analysis engine obtains the alarmaccording to the correlation, and performs the correlation analysis forthe obtained alarm according to the alarm analysis rule in the alarmanalysis rule group corresponding to the analysis engine.

With reference to the first aspect, the first implementation manner ofthe first aspect or the second implementation manner of the firstaspect, in a third implementation manner, the interrelationship betweenthe different alarms includes a root and correlative relationshipbetween the different alarms; and the correlated alarm analysis rulesinclude a first alarm analysis rule and a second alarm analysis rule,and alarm identifiers are the same between a root alarm in the firstalarm analysis rule and a root alarm in the second alarm analysis rule,or alarm identifiers are the same between a correlative alarm in thefirst alarm analysis rule and a correlative alarm in the second alarmanalysis rule, or alarm identifiers are the same between a correlativealarm in the first alarm analysis rule and a root alarm in the secondalarm analysis.

With reference to the first aspect, the first implementation manner ofthe first aspect, the second implementation manner of the first aspect,or the third implementation manner of the first aspect, in a fourthimplementation manner, the interrelationship between the differentalarms includes a brother relationship between the different alarms,where the brother relationship indicates that the different alarms havea same root alarm; the correlated alarm analysis rules include a thirdalarm analysis rule and a fourth alarm analysis rule, and alarmidentifiers are the same between one alarm in the third alarm analysisrule and one alarm in the fourth alarm analysis rule.

With reference to the first aspect, the first implementation manner ofthe first aspect, the second implementation manner of the first aspect,the third implementation manner of the first aspect, or the fourthimplementation manner of the first aspect, in a fifth implementationmanner, the method further includes grouping the correlated alarmanalysis rules to a same alarm analysis rule group.

With reference to the fifth implementation manner of the first aspect,in a sixth implementation manner, the method further includes: receivinga user-defined correspondence between the correlated alarm analysisrules and the analysis engine; then grouping, according to the receivedcorrespondence between the correlated alarm analysis rules and theanalysis engine, the correlated alarm analysis rules to the alarmanalysis rule group corresponding to the analysis engine.

According to a second aspect, an embodiment of the present inventionprovides an alarm correlation analysis apparatus, where the apparatusincludes: an alarm receiving module configured to receive an alarmreported by a network element device, where the alarm includes an alarmidentifier that can uniquely identify the alarm; and an alarm processingmodule, including two or more than two analysis engines, where the alarmprocessing module is configured to, if the alarm identifier of thereceived alarm is the same as an alarm identifier of any alarm in anyalarm analysis rule that is included in an alarm analysis rule groupcorresponding to any one of analysis engines, perform, by using ananalysis engine corresponding to the alarm analysis rule group thatincludes an alarm indicated by the same alarm identifier, correlationanalysis for the received alarm according to an alarm analysis rule inthe alarm analysis rule group corresponding to the analysis engine,where a same alarm analysis rule group includes correlated alarmanalysis rules, one alarm analysis rule group corresponds to oneanalysis engine, the alarm analysis rule is used to indicate aninterrelationship between different alarms, and multiple correlatedalarm analysis rules all include at least one alarm with a same alarmidentifier.

With reference to the second aspect, in a first implementation manner,the alarm processing module is specifically configured to: if the alarmidentifier of the received alarm is the same as the alarm identifier ofany alarm in any alarm analysis rule that is included in the alarmanalysis rule group corresponding to any one of the analysis engines,transfer the received alarm to the analysis engine corresponding to thealarm analysis rule group that includes the alarm indicated by the samealarm identifier, and perform, by using the analysis engine, thecorrelation analysis for the transferred alarm according to the alarmanalysis rule in the alarm analysis rule group corresponding to theanalysis engine.

With reference to the second aspect, in a second implementation manner,the alarm processing module is specifically configured to: if the alarmidentifier of the received alarm is the same as the alarm identifier ofany alarm in any alarm analysis rule that is included in the alarmanalysis rule group corresponding to any one of the analysis engines,correlate the received alarm with the analysis engine corresponding tothe alarm analysis rule group that includes the alarm indicated by thesame alarm identifier, and obtain, by using the analysis engine, thealarm according to the correlation and perform the correlation analysisfor the obtained alarm according to the alarm analysis rule in the alarmanalysis rule group corresponding to the analysis engine.

With reference to the second aspect, the first implementation manner ofthe second aspect or the second implementation manner of the secondaspect, in a third implementation manner, the interrelationship betweenthe different alarms includes a root and correlative relationshipbetween the different alarms, the correlated alarm analysis rulesinclude a first alarm analysis rule and a second alarm analysis rule,and alarm identifiers are the same between a root alarm in the firstalarm analysis rule and a root alarm in the second alarm analysis rule,or alarm identifiers are the same between a correlative alarm in thefirst alarm analysis rule and a correlative alarm in the second alarmanalysis rule, or alarm identifiers are the same between a correlativealarm in the first alarm analysis rule and a root alarm in the secondalarm analysis.

With reference to the second aspect, the first implementation manner ofthe second aspect, the second implementation manner of the secondaspect, or the third implementation manner of the second aspect, in afourth implementation manner, the interrelationship between thedifferent alarms includes a brother relationship between the differentalarms, where the brother relationship indicates that the differentalarms have a same root alarm; and the correlated alarm analysis rulesinclude a third alarm analysis rule and a fourth alarm analysis rule,and alarm identifiers are the same between one alarm in the third alarmanalysis rule and one alarm in the fourth alarm analysis rule.

With reference to the second aspect, the first implementation manner ofthe second aspect, the second implementation manner of the secondaspect, the third implementation manner of the second aspect, or thefourth implementation manner of the second aspect, in a fifthimplementation manner, the apparatus further includes a rule groupingmodule configured to group the correlated alarm analysis rules to a samealarm analysis rule group.

With reference to the fifth implementation manner of the second aspect,in a sixth implementation manner, the apparatus further includes: acorrelation receiving module configured to receive a user-definedcorrespondence between the correlated alarm analysis rules and theanalysis engine, where the rule grouping module is specificallyconfigured to group, according the received correspondence between thecorrelated alarm analysis rules and the analysis engine, the correlatedalarm analysis rules to the alarm analysis rule group corresponding tothe analysis engine.

According to a third aspect, the embodiments of the present inventionprovide an alarm correlation analysis method, where the method includes:receiving an alarm reported by an network element device, where thealarm includes an alarm identifier that can uniquely identify the alarm;if the alarm identifier of the received alarm is the same as an alarmidentifier of any alarm in any alarm group, performing, by using ananalysis engine corresponding to an alarm group that includes an alarmidentified by the same alarm identifier, correlation analysis accordingto an alarm analysis rule, where a same alarm group includes correlatedalarms, one alarm group corresponds to one analysis engine, and thecorrelated alarms refer to alarms generated by network element devicesthat belong to a same logical area, where the network element devicesthat belong to the same logical area have a service correlation.

With reference to the third aspect, in a first implementation manner,the received alarm is transferred to the analysis engine correspondingto the alarm group that includes the alarm indicated by the same alarmidentifier, and the analysis engine performs the correlation analysisfor the transferred alarm according to the alarm analysis rule.

With reference to the third aspect, in a second implementation manner,the received alarm is correlated with the analysis engine correspondingto the alarm group that includes the alarm indicated by the same alarmidentifier, and the analysis engine obtains the alarm according to thecorrelation, and performs the correlation analysis for the obtainedalarm according to the alarm analysis rule.

With reference to the third aspect, the first implementation manner ofthe third aspect, or the second implementation manner of the thirdaspect, in a third implementation manner, the method further includesgrouping the correlated alarms to the same alarm group.

With reference to third aspect, the first implementation manner of thethird aspect, the second implementation manner of the third aspect, orthe third implementation manner of the third aspect, in a fourthimplementation manner, the logical area is divided according to a subnetin which the network element device is located; or the logical area isdivided according to a maintenance area that is divided by maintenancepersonnel.

According to a fourth aspect, an embodiment of the present inventionprovides an alarm correlation analysis apparatus, where the apparatusincludes: an alarm receiving module configured to receive an alarmreported by a network element device, where the alarm includes an alarmidentifier that can uniquely identify the alarm; and an alarm processingmodule, including two or more than two analysis engines, where the alarmprocessing module is configured to, if the alarm identifier of thereceived alarm is the same as an alarm identifier of any alarm in anyalarm group, perform, by using an analysis engine corresponding to analarm group that includes an alarm identified by the same alarmidentifier, correlation analysis according to an alarm analysis rule,where a same alarm group includes correlated alarms, one alarm groupcorresponds to one analysis engine, and the correlated alarms refer toalarms generated by network element devices that belong to a samelogical region, where the network element devices that belong to thesame logical region have a service correlation.

With reference to the fourth aspect, in a first implementation manner,the alarm processing module is specifically configured to: if the alarmidentifier of the received alarm is the same as the alarm identifier ofany alarm in any alarm group, transfer the received alarm to theanalysis engine corresponding to the alarm group that includes the alarmindicated by the same alarm identifier, and perform, by using theanalysis engine, the correlation analysis for the transferred alarmaccording to the alarm analysis rule.

With reference to the fourth aspect, in a second implementation manner,the alarm processing module is specifically configured to: if the alarmidentifier of the received alarm is the same as the alarm identifier ofany alarm in any alarm group, correlate the received alarm with theanalysis engine corresponding to the alarm group that includes the alarmindicated by the same alarm identifier, and obtain, by using theanalysis engine, the alarm according to the correlation and perform thecorrelation analysis for the obtained alarm according to the alarmanalysis rule.

With reference to the fourth aspect, the first implementation manner ofthe fourth aspect, or the second implementation manner of the fourthaspect, in a third implementation manner, the apparatus further includesan alarm grouping module configured to group the correlated alarms tothe same alarm group.

With reference to the fourth aspect, the first implementation manner ofthe fourth aspect, the second implementation manner of the fourthaspect, or the third implementation manner of the fourth aspect, in afourth implementation manner, the logical area is divided according to asubnet in which the network element device is located; or the logicalarea is divided according to a maintenance area that is divided bymaintenance personnel.

According to a fifth aspect, an embodiment of the present inventionprovides a network management system, where the system includes: any oneof the alarm correlation analysis apparatuses provided by the firstaspect and the second aspect of the present invention, and at least onenetwork element device that has a communication connection with thealarm correlation analysis apparatus, where the network element deviceis configured to report an alarm to the alarm correlation analysisapparatus when a fault occurs.

According to the foregoing description, in the alarm correlationanalysis method, apparatus and system provided by the embodiments of thepresent invention, alarm analysis rules are grouped according to acertain policy; each alarm analysis rule group is correlated with oneanalysis engine, and the analysis engine performs, according to an alarmanalysis rule in a same alarm analysis rule group, correlation analysisfor an alarm that has a correlation with the alarm analysis rule group,so that multiple analysis engines implement concurrent analysis on alarge quantity of alarms, thereby fully utilizing a multi-core resource,and improving the efficiency of alarm correlation analysis.

BRIEF DESCRIPTION OF THE DRAWINGS

To describe the technical solutions in the embodiments of the presentinvention more clearly, the following briefly introduces accompanyingdrawings required for describing the embodiments. The accompanyingdrawings in the following description show merely some embodiments ofthe present invention, and a person of ordinary skill in the art maystill derive other drawings according to these accompanying drawingswithout creative efforts.

FIG. 1A is a schematic diagram of a flowchart of an alarm correlationanalysis method according to an embodiment of the present invention;

FIG. 1B is a schematic diagram of a flowchart of another alarmcorrelation analysis method according to an embodiment of the presentinvention;

FIG. 2A is a schematic diagram of a flowchart of a method forimplementing grouping of alarm analysis rules according to an embodimentof the present invention;

FIG. 2B is a schematic diagram of a flowchart of another method forimplementing grouping of alarm analysis rules according to an embodimentof the present invention;

FIG. 3 is a schematic diagram of a flowchart of a method for adding analarm correlation analysis rule according to an embodiment of thepresent invention;

FIG. 4 is a schematic diagram of a flowchart of still another alarmcorrelation analysis method according to an embodiment of the presentinvention;

FIG. 5A to FIG. 5B are schematic diagrams of flowcharts of other alarmcorrelation analysis methods according to an embodiment of the presentinvention;

FIG. 6A to FIG. 6C are schematic structural diagrams of an alarmcorrelation analysis apparatus according to an embodiment of the presentinvention;

FIG. 7 is a schematic diagram of an application of an alarm correlationanalysis apparatus according to an embodiment of the present invention;

FIG. 8A to FIG. 8B are schematic diagrams of flowcharts of other alarmcorrelation analysis methods according to an embodiment of the presentinvention;

FIG. 9 is a schematic diagram of an application of another alarmcorrelation analysis apparatus according to an embodiment of the presentinvention;

FIG. 10 is another schematic structural diagram of an alarm correlationanalysis apparatus according to an embodiment of the present invention;and

FIG. 11 is a schematic diagram of a logical structure of an alarmcorrelation analysis system according to an embodiment of the presentinvention.

DETAILED DESCRIPTION

The following clearly describes the technical solutions in theembodiments of the present invention with reference to the accompanyingdrawings in the embodiments of the present invention. The embodiments tobe described are merely a part rather than all of the embodiments of thepresent invention. All other embodiments obtained by a person ofordinary skill in the art based on the embodiments of the presentinvention without creative efforts shall fall within the protectionscope of the present invention.

Referring to FIG. 1A and FIG. 1B, FIG. 1A and FIG. 1B are schematicdiagrams of flowcharts of an alarm correlation analysis method accordingto an embodiment of the present invention. The method may be applied inan alarm correlation analysis apparatus with two or more than twoanalysis engines running, where the alarm correlation analysis apparatusmay specifically be deployed in an electronic device, such as a desktopcomputer, a notebook computer, a mobile phone terminal, a tabletcomputer or a server, or the alarm correlation analysis apparatus is oneof these electronic devices, or the alarm correlation analysis apparatusis an independent computer processing system that is different from theforegoing devices.

As shown in FIG. 1A, the alarm correlation analysis method provided bythe embodiment of the present invention specifically includes:

S101. Receive an alarm reported by a network element device, where thealarm includes an alarm identifier that can uniquely identify the alarm.

The alarm identifier may be used to indicate a feature of the alarm,which may be a feature description, or an identifier (ID) numberrepresenting the feature description, or the like. Different alarmidentifiers indicate different alarms.

S102. If the alarm identifier of the received alarm is the same as analarm identifier of any alarm in any alarm analysis rule that isincluded in an alarm analysis rule group corresponding to any one ofanalysis engines, the analysis engine corresponding to the alarmanalysis rule group that includes the alarm indicated by the same alarmidentifier performs correlation analysis for the received alarmaccording to an alarm analysis rule in the alarm analysis rule groupcorresponding to the analysis engine.

A same alarm analysis rule group includes correlated alarm analysisrules, one alarm analysis rule group corresponds to one analysis engine,the alarm analysis rule is used to indicate an interrelationship betweendifferent alarms, and multiple correlated alarm analysis rules allinclude at least one alarm with a same alarm identifier.

In one implementation manner, an alarm correlation analysis apparatustransfers the received alarm to the analysis engine corresponding to thealarm analysis rule group that includes the alarm indicated by the samealarm identifier, and the analysis engine performs the correlationanalysis for the transferred alarm according to the alarm analysis rulein the alarm analysis rule group corresponding to the analysis engine.

In another implementation manner, the received alarm is correlated withthe analysis engine corresponding to the alarm analysis rule group thatincludes the alarm indicated by the same alarm identifier, and theanalysis engine obtains the alarm according to the correlation, andperforms the correlation analysis for the obtained alarm according tothe alarm analysis rule in the alarm analysis rule group correspondingto the analysis engine.

In the former manner, the received alarm is pushed to the analysisengine, and in the latter manner, the received alarm is merelycorrelated with the corresponding analysis engine, and the analysisengine actively obtains the alarm and then performs the correlationanalysis for the alarm. It should be noted that when the analysis engineperforms alarm correlation analysis, multiple alarms are involved.

It can be seen that, in the alarm correlation analysis method providedby the embodiment of the present invention, alarm analysis rules aregrouped according to a certain policy, each alarm analysis rule group iscorrelated with one analysis engine, and the analysis engine performs,according to an alarm analysis rule in the alarm analysis rule groupcorresponding to the analysis engine, correlation analysis for an alarmthat has a correlation with the alarm analysis rule group, so thatmultiple analysis engines implement concurrent analysis on a largequantity of alarms, thereby fully utilizing a multi-core resource, andimproving the efficiency of alarm correlation analysis.

As shown in FIG. 1B, the alarm correlation analysis method provided bythe embodiment of the present invention may further include step S101A.Specifically, as shown in FIG. 1B:

S101A. Group correlated alarm analysis rules to a same alarm analysisrule group.

A correlation between the alarm analysis rules may be a correlationbetween two alarm analysis rules, and may also be a correlation betweenthree or more than three alarm analysis rules.

The correlated alarm analysis rules specifically include: two or morethan two alarm analysis rules to comply with a certain specifiedcorrelation, where the correlation may be defined by a user, or may beobtained by analyzing a large quantity of alarms and/or alarm analysisrules. Generally, there are multiple types of correlations of the alarmanalysis rules. Using two alarm analysis rules as an example, if the twoalarm analysis rules comply with any one of the correlations, the twoalarm analysis rules are correlated alarm analysis rules. A correlationof the alarm analysis rules may change. For example, with the increaseof the alarm analysis rules, a new correlation is obtained through ananalysis; or some alarm analysis rules disappear as alarms included inthe alarm analysis rules disappear, and a correlation corresponding tothese alarm analysis rules may also be no longer used.

Specifically, an interrelationship between different alarms may includea root and correlative relationship between the different alarms. Acorrelative relationship between two or more different alarms is definedin one alarm analysis rule, for example, alarm a is a root alarm ofalarm b, or alarm a is a root alarm of alarm b and alarm c. In thiscase, if alarm identifiers are the same between a root alarm in a firstalarm analysis rule and a root alarm in a second alarm analysis rule,the first alarm analysis rule is correlated with the second alarmanalysis rule; if alarm identifiers are the same between a correlativealarm in a first alarm analysis rule and a correlative alarm in a secondalarm analysis rule, the first alarm analysis rule is correlated withthe second alarm analysis rule; and if alarm identifiers are the samebetween a correlative alarm in a first alarm analysis rule and a rootalarm in a second alarm analysis rule, the first alarm analysis rule iscorrelated with the second alarm analysis rule.

A person skilled in the art may understand that, as long as two alarmanalysis rules comply with any one of the foregoing, the two alarmanalysis rules are correlated. If any one of two correlated alarmanalysis rules and any one of another two correlated alarm analysisrules comply with any one of the foregoing, the four alarm analysisrules are all correlated.

The interrelationship between the different alarms may further include abrother relationship between different alarms, where the brotherrelationship indicates that the different alarms have a same root alarm.Alarms a and b are defined to have a correlation in an alarm analysisrule, and the interrelationship indicates that their root alarms areboth alarm c. The alarm analysis rule does not necessarily indicatewhich is the root alarm of alarm a and alarm b, and may merely indicatethat alarm a and alarm b have a brother relationship. In this case, ifalarm identifiers are the same between one alarm in a first alarmanalysis rule and one alarm in a second alarm analysis rule, the firstalarm analysis rule is correlated with the second alarm analysis rule.For example, if the first alarm analysis rule defines that alarm a andalarm b are in a brother relationship, and the second alarm analysisrule defines that alarm b and alarm c are in a brother relationship,alarm a and alarm c are also in a brother relationship in a situation inwhich a root alarm is unique; therefore, it is considered that the twoalarm analysis rules have a correlation.

It should be noted that unless otherwise specified, the “a first”, “asecond” and the like in the embodiments of the present invention areonly for differentiation, rather than limiting a specified sequence.

In one implementation manner, the correlated alarm analysis rules may beautomatically allocated to a same analysis engine by a computer.

In another implementation manner, a correspondence between the alarmanalysis rules and an engine may be defined by a user. Therefore, themethod may further include receiving a user-defined correspondencebetween the correlated alarm analysis rules and an analysis engine. Inthis case, step S101A may be implemented as follows: grouping, accordingto the received correspondence between the correlated alarm analysisrules and the analysis engine, the correlated alarm analysis rules to analarm analysis rule group corresponding to the analysis engine.

A correspondence between an alarm analysis rule group and an analysisengine may be implemented by setting an identifier for the alarmanalysis rule group, where the identifier is only used to identify theanalysis engine corresponding to the alarm analysis rule group; or byallocating a private access area to each analysis engine, alarms in thealarm analysis rule group are all stored in a private access areacorresponding to the analysis engine corresponding to the alarms.

S101. Receive an alarm reported by a network element device, where thealarm includes an alarm identifier.

When a fault occurs, the network element device reports an alarm to analarm correlation analysis apparatus, where the alarm generally includesinformation such as an alarm identifier, an alarm source, and a contentdescription of the alarm.

It should be noted that FIG. 1B is only exemplary, and a sequence ofstep S101A and step S101 is not limited in the present invention.Grouping of the alarm analysis rules and receiving of the alarm from thenetwork element device may also be concurrently performed, or groupingof the alarm analysis rules is performed after receiving of the alarmfrom the network element device, or the two are alternately performed.

S102. If the alarm identifier of the received alarm is the same as analarm identifier of any alarm in any alarm analysis rule that isincluded in an alarm analysis rule group corresponding to any one of theanalysis engines, an analysis engine corresponding to the alarm analysisrule group that includes an alarm indicated by the same alarm identifierperforms correlation analysis for the received alarm according to analarm analysis rule in the alarm analysis rule group corresponding tothe analysis engine.

For a specific implementation manner of step S102, reference may bereferred to the above description, and details are not further describedherein.

Correlating the alarm with the analysis engine may be performed byadding a corresponding identifier for the alarm, where the identifier isonly used to identify the corresponding analysis engine. For example, ifalarm a needs to be correlated with analysis engine m, identifier m isintroduced for alarm a; and when determining that alarm a includes theidentifier m, the analysis engine m performs correlation analysis forthe alarm.

Correlating the alarm with the analysis engine may further beimplemented by setting an access area for the analysis engine. Forexample, if the analysis engine m can access a storage area but anotheranalysis engine cannot access the storage area, the alarm a may bestored in the storage area.

It should be noted that, if an alarm identifier of the alarm is the sameas alarm identifiers of alarms in alarm analysis rules in alarm analysisrule groups corresponding to multiple analysis engines, a load of theanalysis engine may be balanced according to the quantity of alarmscurrently to be processed by these several analysis engines, andperformance of the analysis engines. For example, if a first analysisengine has currently been correlated with 100 alarms, a second analysisengine has currently been correlated with 10 alarms, and meanwhile,performance of the two analysis engines is the same, the alarm may beallocated to the second analysis engine to prevent the first analysisengine from being overloaded.

A purpose of performing correlation analysis between alarms is generallyto find an interrelationship between the alarms, that is, which alarm isa root alarm of an alarm, or the alarm is a root alarm of which onealarm or alarms, or what are brother alarms of an alarm, or the like.

The analysis engine matches the obtained alarm with an alarm in an alarmanalysis rule. For example, if alarm e and alarm f that are received arethe same as alarm e and alarm f that are in a certain alarm analysisrule, and the alarm analysis rule defines that the alarm e is a rootalarm of the alarm f, it may be acquired by analysis that the alarm e isa root alarm of the alarm f.

It can be seen that, in the alarm correlation analysis method providedby the embodiment of the present invention, alarm analysis rules aregrouped according to a certain policy; each alarm analysis rule group iscorrelated with one analysis engine, and the analysis engine performs,according to an alarm analysis rule in the alarm analysis rule groupcorresponding to the analysis engine, correlation analysis for an alarmthat has a correlation with the alarm analysis rule group, so thatmultiple analysis engines implement concurrent analysis on a largequantity of alarms, thereby fully utilizing a multi-core resource, andimproving efficiency of alarm correlation analysis.

Further, grouping of the alarm analysis rules may be transparent to auser, the user only needs to focus on definition of a rule from aservice perspective, and the system can automatically complete rulegrouping and allocation to a corresponding engine. Further, the systemmay further provide a user interface for the user to define acorrespondence between a rule group and an engine, which enhancesflexibility of the system.

It should be noted that, in the embodiment of the present invention,multiple analysis engines may be multiple threads, multiple processes,or multiple entity processors. The multiple analysis engines may belocated on a same physical machine, and may also be located on differentphysical machines. Therefore, a limitation of an original single core orsingle machine for alarm correlation analysis is broken through, and aresource utilization rate and alarm analysis efficiency are improved.

The following uses a specific embodiment to introduce how to implementgrouping of alarm analysis rules.

Referring to FIG. 2A, FIG. 2A is a method for implementing grouping ofalarm analysis rules. The method includes:

S201 a. Traverse each alarm analysis rule in an alarm analysis rule set.

The alarm analysis rule set includes all alarm analysis rules that areto be allocated to an analysis engine.

S202 a. Determine whether the alarm analysis rule is correlated with anyone or multiple alarm analysis rules in an existing alarm analysis rulegroup, where the alarm analysis rules in the existing alarm analysisrule group are correlated.

S203 a. If a result of the determination is yes, add the alarm analysisrule to the existing alarm analysis rule group.

S204 a. If a result of the determination is no, add an alarm analysisrule group, and add the alarm analysis rule to the added alarm analysisrule group.

S205 a. After the traversal is complete, correlate alarm analysis rules,which are included in a same alarm analysis rule group, with a sameanalysis engine.

Referring to FIG. 2B, FIG. 2B is another method for implementinggrouping of alarm analysis rules. The method includes:

S201 b. Read all alarm analysis rules, and generate a rule cache list R.

S202 b. Read an alarm analysis rule from the R.

S203 b. Determine whether the alarm analysis rule obtained in step S202b is in S<r,g>, where the S<r,g> is used to cache a mapping between analarm analysis rule and a rule group, where r indicates an identifier ofa rule, and g indicates an identifier of a rule group to which rbelongs. If a result of the determination is yes, go to step S207 b; andif a result of the determination is no, perform step S204 b.

S204 b. Allocate a new rule group identifier to the alarm analysis rule,where the rule group identifier, for example, a group number, canuniquely determine one rule group. Then add the alarm analysis rule andthe identifier of the rule group, to which the alarm analysis rulebelongs, to the S<r,g>. In this way, the alarm analysis rule has beenallocated.

S205 b. Then search the R for all rules that have a correlation with thealarm analysis rule.

S206 b. Determine whether the searching succeeds. A basis of thesearching is the correlation of the alarm analysis rules. According todescription of the foregoing embodiment, an alarm analysis rule that iscorrelated with the alarm analysis rule only needs to comply with anyone correlation. If the searching succeeds, perform step S208 b; and ifthe searching fails, perform step S207 b.

S207 b. Delete the alarm analysis rule from the R.

S208 b. Allocate a same rule group identifier to a correlated alarmanalysis rule that is correlated with the alarm analysis rule, and addthe correlated alarm analysis rule to the S<r,g>.

S209 b. Delete the alarm analysis rule and its correlated rule from theR. In this way, the alarm analysis rule and its correlated alarmanalysis rule are allocated to a same rule group.

S210 b. Determine whether the R is empty. If it is not empty, go back tostep S202 b; and if it is empty, perform step S211 b.

S211 b. Generate S<r,g,e> according to the S<r,g> and the presetquantity of analysis engines, where the S<r,g,e> is used to cache amapping between an alarm analysis rule, a rule group, and an analysisengine, where r indicates an identifier of a rule, g indicates anidentifier of a rule group to which the r belongs, and e indicates anidentifier of an analysis engine to which the r belongs.

S212 b. Correlate the alarm analysis rule with a corresponding analysisengine according to the S<r,g,e>.

After alarm analysis rules in the cache list R are all allocated to acorresponding analysis engine, a situation in which an alarm analysisrule is added, deleted, or modified possibly exists. The followingintroduces a process of adding an alarm analysis rule according to FIG.3.

301. Obtain an added alarm analysis rule set. Certainly, the followingprocessing may also be performed immediately when an alarm rule isadded.

302. Read a rule from the added alarm analysis rule set.

303. Search S<r,g,e> to check whether there is a rule that has acorrelation with the added alarm analysis rule. If the searchingsucceeds, perform step 304; and if the searching fails, perform step305.

304. Determine whether rules that are found and in a correlation withthe added alarm analysis rule are in a same analysis engine. If thesecorrelated rules are all in the same analysis engine, perform step 306;otherwise, perform step 307.

305. No existing rule has a correlation with the added rule. Therefore,allocate a new rule group identifier to this added rule, allocate a newengine, and add a correspondence between the three to the S<r,g,e>.

306. Add the added rule to the S<r,g,e>, and correlate the rule with anengine whose correlated rule is the same as the correlated rule of therule.

307. Add a new rule group for the added rule and rules that are in acorrelation with the added rule, update the S<r,g,e> to adjust the addedrule and its correlated rules to a same engine. It should be noted thatthe “a same engine” herein may be a new engine that is different fromall engines in which its correlated rules are located, or may be any oneengine in which its correlated rules are located.

308. Determine whether the processing of the added rule is complete; ifyes, the method ends; and if no, go back to step 302.

In addition, deleting an alarm analysis rule does not involve adjustmentof a correlation; instead, an alarm analysis rule only needs to bedeleted from the mapping S<r,g,e>, and deleted from a correspondingengine. A situation of modification of an alarm analysis rule may beseen as a combination of deletion of an alarm analysis rule and addingof an alarm analysis rule, which is easily known by a person skilled inthe art according to the foregoing embodiments; therefore, details arenot further described herein.

Based on the embodiment shown in FIG. 2B, FIG. 4 shows a schematicdiagram of a flowchart of an alarm correlation analysis method accordingto an embodiment of the present invention. As shown in FIG. 4, themethod includes:

401. Obtain an alarm to be analyzed from a cache. An alarm of a networkelement device may be stored in the cache.

402. Obtain an alarm identifier of this alarm, for example, an alarm ID.

403. Compare the alarm identifier of this alarm with an identifier of analarm in an alarm analysis rule, and search for an alarm analysis rulethat this alarm can match.

404. If an identifier of an alarm in a certain alarm analysis rule isfound to be the same as the alarm identifier of this alarm, it isconsidered that the alarm analysis rule match this alarm, and performstep 405; and if no matched alarm analysis rule is found, this alarm maybe reported to an administrator for processing.

405. Correlate this alarm with a corresponding analysis engine accordingto information recorded in S<r,g,e>. The analysis engine is an analysisengine corresponding to the alarm analysis rule that matches this alarm.

406. After engine analysis is complete, add an identifier of a rootalarm or an identifier of a correlative alarm for the alarm. Certainly,in other embodiments, an analysis result may also be that which of otheralarms is in a brother relationship with the alarm.

It can be seen that, in the alarm correlation analysis method providedby the embodiment of the present invention, alarm analysis rules aregrouped according to a certain policy; each alarm analysis rule group iscorrelated with one analysis engine, and the analysis engine performs,according to an alarm analysis rule in the alarm analysis rule groupcorresponding to the analysis engine, correlation analysis for an alarmthat has a correlation with the alarm analysis rule group, so thatmultiple analysis engines implement concurrent analysis on a largequantity of alarms, thereby fully utilizing a multi-core resource, andimproving efficiency of alarm correlation analysis.

Referring to FIG. 5A, FIG. 5A is another alarm correlation analysismethod according to an embodiment of the present invention, and themethod is applied in an alarm correlation analysis apparatus with two ormore than two analysis engines. As shown in FIG. 5A, the methodincludes:

S501. Receive an alarm reported by a network element device, where thealarm includes an alarm identifier that can uniquely identify the alarm.Network element devices are distributed on multiple subnets, or aredistributed in multiple maintenance areas that are divided bymaintenance engineer.

S502. If the alarm identifier of the received alarm is the same as analarm identifier of any alarm in any alarm group, an analysis enginecorresponding to an alarm group that includes an alarm identified by thesame alarm identifier performs correlation analysis for the receivedalarm according to an alarm analysis rule.

A same alarm group includes correlated alarms, and one alarm groupcorresponds to one analysis engine. The correlated alarms refer toalarms generated by network element devices that belong to a samelogical area, where the network element devices that belong to the samelogical area have a service correlation.

In one implementation manner, the received alarm is transferred to theanalysis engine corresponding to the alarm group that includes the alarmindicated by the same alarm identifier, and the analysis engine performsthe correlation analysis for the transferred alarm according to thealarm analysis rule.

In another implementation manner, the received alarm is correlated withthe analysis engine corresponding to the alarm group that includes thealarm indicated by the same alarm identifier, and the analysis engineobtains the alarm according to the correlation, and performs thecorrelation analysis for the obtained alarm according to the alarmanalysis rule.

Referring to FIG. 5B, the method may further include S501B.

S501. Receive an alarm reported by a network element device, where thealarm includes an alarm identifier that can uniquely identify the alarm.Network element devices are distributed on multiple subnets, or aredistributed in multiple maintenance areas that are divided bymaintenance personnel.

S501B. Group correlated alarms to a same alarm group.

One alarm group corresponds to one analysis engine, and the correlatedalarms refer to alarms generated by network element devices that belongto a same logical area, where the network element devices in the logicalarea have a service correlation.

Optionally, the logical area may be divided according to a subnet inwhich the network element device is located, or may be divided accordingto the maintenance area divided by maintenance personnel, or may bedivided in another manner.

S502. If the alarm identifier of the received alarm is the same as analarm identifier of any alarm in any alarm group, an analysis enginecorresponding to an alarm group that includes an alarm identified by thesame alarm identifier performs correlation analysis for the receivedalarm according to an alarm analysis rule.

A person skilled in the art can understand that, an alarm analysis rulemay be stored in a place for various analysis engines to read; or, eachalarm analysis rule group may be separately correlated with one analysisengine after alarm analysis rules are grouped by using a method in theforegoing embodiment; or, an alarm analysis rule is correlated with ananalysis engine, where the analysis engine includes at least one alarmthat has a same alarm identifier as one alarm in the alarm analysisrule.

It should be noted that, the alarm correlation analysis method providedby the embodiment of the present invention is applied in an alarmcorrelation analysis apparatus with multiple analysis engines, where themultiple analysis engines may be totally the same, or may be different,for example, there is a difference in analysis performance or ananalysis method; and meanwhile, the multiple analysis engines may bedeployed on a same physical machine, or may be separately deployed onmultiple physical machines.

It can be seen that, in the alarm correlation analysis method providedby the embodiment of the present invention, alarms that belong to a samelogical area are correlated with a same analysis engine, so thatmultiple analysis engines implement concurrent analysis on alarms. Themultiple analysis engines may be multiple threads or multiple processes,and may even be located on different physical machines. Therefore, alimitation of an original single core or single machine for alarmcorrelation analysis is broken through, and a resource utilization rateand alarm analysis efficiency are improved.

Referring to FIG. 6A, FIG. 6A is a schematic diagram of a logicalstructure of an alarm correlation analysis apparatus 600 according to anembodiment of the present invention. As shown in FIG. 6A, the apparatusincludes: an alarm receiving module 601 configured to receive an alarmreported by a network element device, where the alarm includes an alarmidentifier that can uniquely identify the alarm; an alarm processingmodule 602, including two or more than two analysis engines 6021; wherethe alarm processing module 602 is configured to, if the alarmidentifier of the received alarm is the same as an alarm identifier ofany alarm in any alarm analysis rule that is included in an alarmanalysis rule group corresponding to any one of the analysis engines,perform, by using an analysis engine 6021 corresponding to the alarmanalysis rule group that includes an alarm indicated by the same alarmidentifier, correlation analysis for the received alarm according to analarm analysis rule in the alarm analysis rule group corresponding tothe analysis engine 6021.

A same alarm analysis rule group includes correlated alarm analysisrules, one alarm analysis rule group corresponds to one analysis engine,the alarm analysis rule is used to indicate an interrelationship betweendifferent alarms, and multiple correlated alarm analysis rules allinclude at least one alarm with a same alarm identifier.

In one implementation manner, the alarm processing module 602 isspecifically configured to: if the alarm identifier of the receivedalarm is the same as the alarm identifier of any alarm in any alarmanalysis rule that is included in the alarm analysis rule groupcorresponding to any one of the analysis engines, transfer the receivedalarm to the analysis engine 6021 corresponding to the alarm analysisrule group that includes the alarm indicated by the same alarmidentifier, and perform, by using the analysis engine 6021, thecorrelation analysis for the transferred alarm according to the alarmanalysis rule in the alarm analysis rule group corresponding to theanalysis engine 6021.

In another implementation manner, the alarm processing module 602 isspecifically configured to: if the alarm identifier of the receivedalarm is the same as the alarm identifier of any alarm in any alarmanalysis rule that is included in the alarm analysis rule groupcorresponding to any one of the analysis engines, correlate the receivedalarm with the analysis engine 6021 corresponding to the alarm analysisrule group that includes the alarm indicated by the same alarmidentifier, and obtain, by using the analysis engine 6021, the alarmaccording to the correlation and perform the correlation analysis forthe obtained alarm according to the alarm analysis rule in the alarmanalysis rule group corresponding to the analysis engine 6021.

It can be seen that the alarm correlation analysis apparatus provided bythe embodiment of the present invention groups alarm analysis rulesaccording to a certain policy; each alarm analysis rule group iscorrelated with one analysis engine, and the analysis engine performs,according to an alarm analysis rule in the alarm analysis rule groupcorresponding to the analysis engine, correlation analysis for an alarmthat has a correlation with the alarm analysis rule group, so thatmultiple analysis engines implement concurrent analysis on a largequantity of alarms, thereby fully utilizing a multi-core resource, andimproving efficiency of alarm correlation analysis.

Referring to FIG. 6B, the alarm correlation analysis apparatus 600provided by the embodiment of the present invention may further includea rule grouping module 603 configured to group correlated alarm analysisrules to a same alarm analysis rule group.

One alarm analysis rule group corresponds to one analysis engine, andthe alarm analysis rule defines an interrelationship between differentalarms, where the different alarms means that alarm identifiers of thealarms are different, the correlation means that different alarmanalysis rules include at least one alarm with a same alarm identifier,and the alarm identifier is used to indicate a feature of the alarm.

The interrelationship between the different alarms includes a root andcorrelative relationship between the different alarms.

Correlation between alarm analysis rules includes: if alarm identifiersare the same between a root alarm in a first alarm analysis rule and aroot alarm in a second alarm analysis rule, the first alarm analysisrule is correlated with the second alarm analysis rule; if alarmidentifiers are the same between a correlative alarm in a first alarmanalysis rule and a correlative alarm in a second alarm analysis rule,the first alarm analysis rule is correlated with the second alarmanalysis rule; and if alarm identifiers are the same between acorrelative alarm in a first alarm analysis rule and a root alarm in asecond alarm analysis rule, the first alarm analysis rule is correlatedwith the second alarm analysis rule.

The interrelationship between the different alarms may further include abrother relationship between the different alarms, where the brotherrelationship indicates that the different alarms have a same root alarm.

The correlation between alarm analysis rules includes: if alarmidentifiers are the same between one alarm in a first alarm analysisrule and one alarm in a second alarm analysis rule, the first alarmanalysis rule is correlated with the second alarm analysis rule.

Further, as shown in FIG. 6C, the apparatus may further include acorrelation receiving module 604 configured to receive a user-definedcorrespondence between the correlated alarm analysis rules and ananalysis engine. The rule grouping module 603 is specifically configuredto group, according to the received correspondence between thecorrelated alarm analysis rules and the analysis engine, the correlatedalarm analysis rules to an alarm analysis rule group corresponding tothe analysis engine.

It can be seen that the alarm correlation analysis apparatus provided bythe embodiment of the present invention groups alarm analysis rulesaccording to a certain policy; each alarm analysis rule group iscorrelated with one analysis engine, and the analysis engine performs,according to an alarm analysis rule in the alarm analysis rule groupcorresponding to the analysis engine, correlation analysis for an alarmthat has a correlation with the alarm analysis rule group, so thatmultiple analysis engines implement concurrent analysis on a largequantity of alarms, thereby fully utilizing a multi-core resource, andimproving efficiency of alarm correlation analysis.

Further, grouping of the alarm analysis rules may be transparent to auser, the user only needs to focus on definition of a rule from aservice perspective, and the system can automatically complete rulegrouping and allocation to a corresponding engine. Further, the systemmay further provide a user interface for the user to define acorrespondence between a rule group and an engine, which enhancesflexibility of the system.

It should be noted that, multiple analysis engines in the alarmcorrelation analysis apparatus shown in FIG. 6A to FIG. 6C may be thesame or different; and may be located on a same physical machine or belocated on different physical machines.

FIG. 7 is a schematic diagram of an application of another alarmcorrelation analysis apparatus 100 according to an embodiment of thepresent invention. A specific process is as follows:

1) Enable a correlation analysis function, and initialize each moduleand the predefined quantity of analysis engines.

2) A rule grouping module 101 loads and parses alarm analysis rules,then groups the alarm analysis rules according to an alarm rulecorrelation, and correlates the group with a corresponding analysisengine.

Loading and preliminary parsing of the alarm analysis rules may also beprocessed by another module that is independent of the rule groupingmodule.

3) An alarm receiving module 102 is configured to receive various alarmdata reported by a network element device, where the alarm data includesan alarm identifier, an alarm feature description, an alarm source, andthe like.

4) An alarm grouping module 103 correlates an alarm with a specifiedanalysis engine so that the specified analysis engine performscorrelation analysis for the alarm.

5) Each analysis engine 104 performs, according to a corresponding alarmanalysis rule, correlation analysis for the alarm correlated with theanalysis engine, so as to identify a root alarm and a correlative alarm.

6) The root alarm is displayed on a client, whereas the correlativealarm may be selected not to be displayed on the client.

Optionally, the alarm correlation analysis apparatus provide by theembodiment of the present invention may further include a correlationreceiving module 105, which is configured to receive a user-definedcorrespondence between the correlated alarm analysis rules and ananalysis engine. The rule grouping module 101 is specifically configuredto group, according to the received correspondence between thecorrelated alarm analysis rules and the analysis engine, the correlatedalarm analysis rules to an alarm analysis rule group corresponding tothe analysis engine.

It should be noted that a correlation of alarm analysis rules may bedefined by a user, and may also be obtained through an analysisperformed by a computer according to a large quantity of alarm analysisrules. The two manners may also coexist.

The alarm grouping module 103 and the rule grouping module 101 that areshown in the embodiment of the present invention may be implemented astwo independent modules, and may also be implemented as a groupingmodule that has two functions.

Referring to FIG. 8A, an embodiment of the present invention providesanother alarm correlation analysis apparatus 800. The apparatus 800includes: an alarm receiving module 801 configured to receive an alarmreported by a network element device, where the alarm includes an alarmidentifier that can uniquely identify the alarm; and an alarm processingmodule 802, including two or more than two analysis engines 8021, wherethe alarm processing module 802 is configured to, if the alarmidentifier of the received alarm is the same as an alarm identifier ofany alarm in any alarm group, perform, by using an analysis engine 8021corresponding to an alarm group that includes an alarm identified by thesame alarm identifier, correlation analysis for the received alarmaccording to an alarm analysis rule, where a same alarm group includescorrelated alarms, one alarm group corresponds to one analysis engine,and the correlated alarms refer to alarms generated by network elementdevices that belong to a same logical area, where the network elementdevices in the same logical area have a service correlation.

A person skilled in the art can understand that, an alarm analysis rulemay be stored in a place for various analysis engines to read; or, eachalarm analysis rule group may be separately correlated with one analysisengine after alarm analysis rules are grouped by using a method in theforegoing embodiment; or an alarm analysis rule is correlated with ananalysis engine, where the analysis engine includes at least one alarmthat has a same alarm identifier as one alarm in the alarm analysisrule.

In one implementation manner, the alarm processing module 802 isspecifically configured to: if the alarm identifier of the receivedalarm is the same as the alarm identifier of any alarm in any alarmgroup, transfer the received alarm to the analysis engine 8021corresponding to the alarm group that includes the alarm indicated bythe same alarm identifier, and perform, by using the analysis engine8021, the correlation analysis for the transferred alarm according tothe alarm analysis rule.

In another implementation manner, the alarm processing module 802 isspecifically configured to: if the alarm identifier of the receivedalarm is the same as the alarm identifier of any alarm in any alarmgroup, correlate the received alarm with the analysis engine 8021corresponding to the alarm group that includes the alarm indicated bythe same alarm identifier, and obtain, by using the analysis engine8021, the alarm according to the correlation and perform the correlationanalysis for the obtained alarm according to the alarm analysis rule.

Referring to FIG. 8B, the alarm correlation analysis apparatus 800provided by the embodiment of the present invention may further includean alarm grouping module 803 configured to allocate correlated alarms toa same alarm group.

Optionally, the logical area may be divided according to a subnet inwhich the network element is located, or may be divided according to amaintenance area divided by maintenance personnel, or may be divided inanother manner.

It can be seen that, the alarm correlation analysis apparatus providedby the embodiment of the present invention correlates alarms that belongto a same logical area with a same analysis engine, so that multipleanalysis engines implement concurrent analysis on the alarms. Themultiple analysis engines may be multiple threads or multiple processes,and may even be located on different physical machines. Therefore, alimitation of an original single core or single machine for alarmcorrelation analysis is broken through, and a resource utilization rateand alarm analysis efficiency are improved.

FIG. 9 is a schematic diagram of an application process of another alarmcorrelation analysis apparatus 200 according to an embodiment of thepresent invention. A specific process is as follows:

1) Enable a correlation analysis function, and initialize each moduleand the predefined quantity of analysis engines.

2) An alarm receiving module 201 receives alarm data reported by anetwork element device.

3) An alarm grouping module 202 obtains the alarm data from a cache, andcorrelates the alarm data with a corresponding analysis engine accordingto network element device information included in the alarm data.

4) Each analysis engine 203 performs correlation analysis for thecorrelated alarm data according to an alarm analysis rule, so as toidentify a root alarm and a correlative alarm.

5) The root alarm is displayed on a client, whereas the correlativealarm may be selected not to be displayed on the client.

Referring to FIG. 10, FIG. 10 is a schematic structural diagram of analarm correlation analysis apparatus 300 according to an embodiment ofthe present invention. As shown in FIG. 10, the apparatus includes aprocessor 301, a memory 302, and a receiver 303, and the three areconnected by using a bus 304. The processor 301 is a multi-coreprocessor, where the multi-core processor is a processor integrated withtwo or more than two complete computing engines (also called cores). Asshown in FIG. 10, the processor 301 includes n (n≧2) analysis engines,where the analysis engines are used as computing engines for alarmcorrelation analysis.

In one implementation manner:

The receiver 303 is configured to receive an alarm uploaded by a networkdevice, where the alarm includes an alarm identifier that can uniquelyidentify the alarm, and the alarm identifier may be a featuredescription, a feature indication ID, or the like, which indicates afeature of the alarm.

The memory 302 is configured to store a program, where the program isinvoked by each analysis engine in the processor 301. Further, thememory 302 may further be configured to store an alarm and/or an alarmcorrelation analysis rule.

The processor 301 is configured to invoke a program stored in the memory302 and implement the following operations: if the alarm identifier ofthe received alarm is the same as an alarm identifier of any alarm inany alarm analysis rule that is included in an alarm analysis rule groupcorresponding to any one of the analysis engines, perform, by using theanalysis engine corresponding to the alarm analysis rule group thatincludes an alarm indicated by the same alarm identifier, correlationanalysis for the received alarm according to an alarm analysis rule inthe alarm analysis rule group corresponding to the analysis engine. Asame alarm analysis rule group includes correlated alarm analysis rules;one alarm analysis rule group corresponds to one analysis engine; thealarm analysis rule is used to indicate an interrelationship betweendifferent alarms; and multiple correlated alarm analysis rules allinclude at least one alarm with a same alarm identifier.

Analysis engines 1 to n separately invoke the program stored in thememory 302 to generate n processing instances, and perform, according toan alarm analysis rule in an alarm analysis rule group corresponding toeach analysis engine, correlation analysis for alarms correlated withthe analysis engines, thereby enabling multiple analysis engines toconcurrently perform their respective alarm correlation analysisoperations.

Specifically, the memory 302 may include a private storage area that isaccessible only to one analysis engine. If an alarm analysis rule groupcorresponds to a certain analysis engine, all alarm analysis rules inthe alarm analysis rule group may be stored in a private storage areacorresponding to the analysis engine. The received alarm, if determinedto be correlated with the analysis engine, may also be stored in theprivate storage area. The private storage area is used to implementcorrelation of analysis engines with their respective alarm analysisrule groups or alarms.

Optionally, the interrelationship between the different alarms includesa root and correlative relationship between the different alarms; thecorrelated alarm analysis rules include a first alarm analysis rule anda second alarm analysis rule, and alarm identifiers are the same betweena root alarm in the first alarm analysis rule and a root alarm in thesecond alarm analysis rule, or alarm identifiers are the same between acorrelative alarm in the first alarm analysis rule and a correlativealarm in the second alarm analysis rule, or alarm identifiers are thesame between a correlative alarm in the first alarm analysis rule and aroot alarm in the second alarm analysis.

Optionally, the interrelationship between the different alarms includesa brother relationship between the different alarms, where the brotherrelationship indicates that the different alarms have a same root alarm.The correlated alarm analysis rules include a third alarm analysis ruleand a fourth alarm analysis rule, and alarm identifiers are the samebetween one alarm in the third alarm analysis rule and one alarm in thefourth alarm analysis rule.

Further, the processor 301 may further be configured to group thecorrelated alarm analysis rules to the same alarm analysis rule group.

It should be noted that, besides alarm correlation analysis, computingperformed by the processor 301 may be performed by any one or morecomputing engines that are included in the processor 301, where thecomputing engines include the analysis engines 1 to n and anothercomputing engine.

Still further, the receiver 301 may further be configured to receive auser-defined correspondence between the correlated alarm analysis rulesand the analysis engine. The processor 301 is configured to group,according to the received correspondence between the correlated alarmanalysis rules and the analysis engine, the correlated alarm analysisrules to an alarm analysis rule group corresponding to the analysisengine.

In another implementation manner:

The receiver 303 is configured to receive an alarm reported by a networkelement device, where the alarm includes an alarm identifier that canuniquely identify the alarm, and the alarm identifier may be a featuredescription, a feature indication ID, or the like, which indicates afeature of the alarm.

The processor 301 invokes the program stored in the memory 302, and isconfigured to implement the following operations: if the alarmidentifier of the received alarm is the same as an alarm identifier ofany alarm in any alarm group, perform, by using an analysis enginecorresponding to an alarm group that includes an alarm identified by asame alarm identifier, correlation analysis for the received alarmaccording to an alarm analysis rule, where a same alarm group includescorrelated alarms, one alarm group corresponds to one analysis engine,and the correlated alarms refer to alarms generated by network elementdevices that belong to a same logical area, where the network elementdevices in the same logical area have a service correlation.

Specifically, the memory 302 may include a private storage area that isaccessible only to one analysis engine and a public storage area thatare accessible to all analysis engines. An alarm analysis rule is storedin the public storage area, and alarms in an alarm group correspondingto one analysis engine are separately stored in a private storage areacorresponding to the analysis engine. Therefore, each analysis enginecan access the alarm analysis rule, and performs correlation analysisfor its alarm according to the alarm analysis rule. In anotherembodiment, the alarm analysis rule may also be separately stored in theprivate storage area corresponding to each analysis engine.

The logical area is divided according to a subnet in which the networkelement device is located, or the logical area is divided according to amaintenance area divided by maintenance personnel.

It should be noted that for another specific implementation manner ofthe alarm correlation analysis apparatus 800 provided by the embodimentof the present invention, reference may be made to the description ofthe foregoing method or apparatus embodiments, and details are notfurther described herein.

It can be seen that the alarm correlation analysis apparatus provided bythe embodiment of the present invention groups alarm analysis rulesaccording to a certain policy; each alarm analysis rule group iscorrelated with one analysis engine, and the analysis engine performs,according to an alarm analysis rule in the alarm analysis rule groupcorresponding to the analysis engine, correlation analysis for an alarmthat has a correlation with the alarm analysis rule group, or correlatesalarms that belong to a same logical area with a same analysis engine,so that multiple analysis engines implement concurrent analysis on alarge quantity of alarms, thereby fully utilizing a multi-core resource,and improving efficiency of alarm correlation analysis.

Referring to FIG. 11, FIG. 11 is a schematic diagram of a logicalstructure of a network management system 400 according to an embodimentof the present invention. The network management system 400 includes analarm correlation analysis apparatus 401 and one or more network elementdevices that have a communication connection with the alarm correlationanalysis apparatus 401, where the network element devices are configuredto report an alarm to the alarm correlation analysis apparatus when afault occurs. An alarm correlation analysis apparatus 401 may be onealarm correlation analysis apparatus in the foregoing apparatusembodiments, and for specific module division and method implementation,reference may be made to the foregoing embodiments, which are notfurther described herein.

Specifically, the alarm correlation analysis apparatus 401 may be anindependent computing device, may also be deployed in a network elementmanagement system (EMS) or a management system of another type of anetwork management system in the prior art.

It should be noted that, a communication connection between two or threein the embodiment of the present invention is not necessarily a directconnection, and there may be one or more other devices or systems inbetween; and is also not necessarily a wired or wireless connection, aslong as communication between them can be implemented.

In conclusion, in the alarm correlation analysis method, apparatus andsystem provided by the embodiments of the present invention, alarmanalysis rules are allocated to a same analysis engine according to acertain policy, and then alarms are also allocated correspondingly; oralarms are grouped to different analysis engines according to a logicalarea, so that multiple analysis engines implement concurrent analysis ona large quantity of alarms, where the multiple analysis engines may bemultiple threads, or multiple processes, or even located on differentphysical machines. Therefore, a limitation of an original single core orsingle machine for alarm correlation analysis is broken through, and aresource utilization rate and alarm analysis efficiency are improved.Grouping of the alarm analysis rules may be transparent to a user, theuser only needs to focus on definition of a rule from a serviceperspective, and the system can automatically complete rule grouping andallocation to a corresponding engine. Further, the system may furtherprovide a user interface for the user to define a correspondence betweena rule group and an engine, which enhances flexibility of the system.

Persons of ordinary skill in the art may be aware that, in combinationwith the examples described in the embodiments disclosed in thisspecification, units and algorithm steps may be implemented byelectronic hardware or a combination thereof. Whether the functions areperformed by hardware or software depends on particular applications anddesign constraint conditions of the technical solutions. A personskilled in the art may use different methods to implement the describedfunctions for each particular application, but it should not beconsidered that the implementation goes beyond the scope of the presentinvention.

In the several embodiments provided in the present application, itshould be understood that the disclosed system, apparatus, and methodmay be implemented in other manners. For example, the describedapparatus embodiment is merely exemplary. For example, the unit divisionis merely logical function division and may be other division in actualimplementation. For example, a plurality of units or components may becombined or integrated into another system, or some features may beignored or not performed. In addition, the displayed or discussed mutualcouplings or direct couplings or communication connections may beimplemented through some interfaces. The indirect couplings orcommunication connections between the apparatuses or units may beimplemented in electronic, mechanical, or other forms.

The units described as separate parts may or may not be physicallyseparate, and parts displayed as units may or may not be physical units,may be located in one position, or may be distributed on a plurality ofnetwork units. A part or all of the units may be selected according toactual needs to achieve the objectives of the solutions of theembodiments. In addition, in the accompanying drawings of the apparatusembodiments provided by the present invention, connection relationshipsbetween modules indicate that the modules have communication connectionsin between, which may be specifically implemented as one or morecommunications buses or signal cables. A person of ordinary skill in theart may understand and implement the embodiments without creativeefforts.

When the functions are implemented in a form of a software functionalunit and sold or used as an independent product, the functions may bestored in a computer-readable storage medium. Based on such anunderstanding, the technical solutions of the present inventionessentially, or the part contributing to the prior art, or a part of thetechnical solutions may be implemented in a form of a software product.The software product is stored in a storage medium, and includes severalinstructions for instructing a computer device (which may be a personalcomputer, a server, or a network device) to perform all or a part of thesteps of the methods described in the embodiments of the presentinvention. The foregoing storage medium includes: any medium that canstore program code, such as a universal serial bus (USB) flash drive, aremovable hard disk, a read-only memory (ROM), a random access memory(RAM), a magnetic disk, or an optical disc.

By means of the description of the foregoing embodiments, a personskilled in the art may clearly understand that the present invention maybe implemented by using computer software plus necessary universalhardware and by using hardware, including an integrated circuit, auniversal central processing unit (CPU), a universal memory, a universalcomponent, and the like, and certainly may also be implemented by usingdedicated hardware such as a dedicated integrated circuit, a dedicatedCPU, a dedicated memory, and a dedicated component. Generally, anyfunctions that can be performed by a computer program can be easilyimplemented by using corresponding hardware. Moreover, a specifichardware structure used to achieve a same function may be of variousforms, for example, in a form of an analog circuit, a digital circuit,or a dedicated circuit.

The foregoing descriptions are merely specific embodiments of thepresent invention, but are not intended to limit the protection scope ofthe present invention. Any variation or replacement readily figured outby a person skilled in the art within the technical scope disclosed inthe present invention shall fall within the protection scope of thepresent invention. Therefore, the protection scope of the presentinvention shall be subject to the protection scope of the claims.

What is claimed is:
 1. An alarm correlation analysis method, wherein themethod is applied in an alarm correlation analysis apparatus with two ormore analysis engines running, and the method comprises: receiving analarm reported by a network element device, wherein the alarm comprisesan alarm identifier that can uniquely identify the alarm; andperforming, by an analysis engine corresponding to the alarm analysisrule group that comprises an alarm indicated by the same alarmidentifier, correlation analysis for the received alarm according to analarm analysis rule in the alarm analysis rule group corresponding tothe analysis engine when the alarm identifier of the received alarm isthe same as an alarm identifier of any alarm in any alarm analysis rulethat is comprised in an alarm analysis rule group corresponding to anyone of the analysis engines, wherein a same alarm analysis rule groupcomprises correlated alarm analysis rules, one alarm analysis rule groupcorresponds to one analysis engine, the alarm analysis rule is used toindicate an interrelationship between different alarms, and multiplecorrelated alarm analysis rules all comprise at least an alarm with asame alarm identifier.
 2. The method according to claim 1, whereinperforming, by the analysis engine corresponding to the alarm analysisrule group that comprises the alarm indicated by the same alarmidentifier, correlation analysis for the received alarm according to thealarm analysis rule in the alarm analysis rule group corresponding tothe analysis engine comprises: transferring the received alarm to theanalysis engine corresponding to the alarm analysis rule group thatcomprises the alarm indicated by the same alarm identifier; andperforming, by the analysis engine, the correlation analysis for thetransferred alarm according to the alarm analysis rule in the alarmanalysis rule group corresponding to the analysis engine.
 3. The methodaccording to claim 1, wherein performing, by the analysis enginecorresponding to the alarm analysis rule group that comprises the alarmindicated by the same alarm identifier, correlation analysis for thereceived alarm according to the alarm analysis rule in the alarmanalysis rule group corresponding to the analysis engine comprises:correlating the received alarm with the analysis engine corresponding tothe alarm analysis rule group that comprises the alarm indicated by thesame alarm identifier; and obtaining, by using the analysis engine, thealarm according to the correlation and performing the correlationanalysis for the obtained alarm according to the alarm analysis rule inthe alarm analysis rule group corresponding to the analysis engine. 4.The method according to claim 1, wherein the interrelationship betweenthe different alarms comprises a root and correlative relationshipbetween the different alarms, and wherein the correlated alarm analysisrules comprise a first alarm analysis rule and a second alarm analysisrule, and alarm identifiers are the same between a root alarm in thefirst alarm analysis rule and a root alarm in the second alarm analysisrule, or alarm identifiers are the same between a correlative alarm inthe first alarm analysis rule and a correlative alarm in the secondalarm analysis rule, or alarm identifiers are the same between acorrelative alarm in the first alarm analysis rule and a root alarm inthe second alarm analysis rule.
 5. The method according to claim 1,wherein the interrelationship between the different alarms comprises abrother relationship between the different alarms, wherein the brotherrelationship indicates that the different alarms have a same root alarm,and wherein the correlated alarm analysis rules comprise a thirdanalysis rule and a fourth analysis rule, and alarm identifiers are thesame between one alarm in the third alarm analysis rule and one alarm inthe fourth alarm analysis rule.
 6. The method according to claim 1,wherein the method further comprises grouping the correlated alarmanalysis rules to the same alarm analysis rule group.
 7. The methodaccording to claim 6, wherein the method further comprises receiving auser-defined correspondence between the correlated alarm analysis rulesand an analysis engine, and wherein grouping the correlated alarmanalysis rules to the same alarm analysis rule group comprises grouping,according to the received correspondence between the correlated alarmanalysis rules and the analysis engine, the correlated alarm analysisrules to the alarm analysis rule group corresponding to the analysisengine.
 8. An alarm correlation analysis apparatus, comprising: an alarmreceiving module configured to receive an alarm reported by a networkelement device, wherein the alarm comprises an alarm identifier that canuniquely identify the alarm; and an alarm processing module comprisingtwo or more analysis engines, wherein the alarm processing module isconfigured to perform, by using an analysis engine corresponding to thealarm analysis rule group that comprises an alarm indicated by the samealarm identifier, correlation analysis for the received alarm accordingto an alarm analysis rule in the alarm analysis rule group correspondingto the analysis engine when the alarm identifier of the received alarmis the same as an alarm identifier of any alarm in any alarm analysisrule that is comprised in an alarm analysis rule group corresponding toany one of the analysis engines, wherein a same alarm analysis rulegroup comprises correlated alarm analysis rules, one alarm analysis rulegroup corresponds to one analysis engine, the alarm analysis rule isused to indicate an interrelationship between different alarms, andmultiple correlated alarm analysis rules all comprise at least an alarmwith a same alarm identifier.
 9. The apparatus according to claim 8,wherein the alarm processing module is specifically configured to:transfer the received alarm to the analysis engine corresponding to thealarm analysis rule group that comprises the alarm indicated by the samealarm identifier; and perform, by using the analysis engine, thecorrelation analysis for the transferred alarm according to the alarmanalysis rule in the alarm analysis rule group corresponding to theanalysis engine when the alarm identifier of the received alarm is thesame as the alarm identifier of any alarm in any alarm analysis rulethat is comprised in the alarm analysis rule group corresponding to anyone of the analysis engines.
 10. The apparatus according to claim 8,wherein the alarm processing module is specifically configured to:correlate the received alarm with the analysis engine corresponding tothe alarm analysis rule group that comprises the alarm indicated by thesame alarm identifier; and obtain, by using the analysis engine, thealarm according to the correlation and perform the correlation analysisfor the obtained alarm according to the alarm analysis rule in the alarmanalysis rule group corresponding to the analysis engine when the alarmidentifier of the received alarm is the same as the alarm identifier ofany alarm in any alarm analysis rule that is comprised in the alarmanalysis rule group corresponding to any one of the analysis engines.11. The apparatus according to claim 8, wherein the interrelationshipbetween the different alarms comprises a root and correlativerelationship between the different alarms, and wherein the correlatedalarm analysis rules comprise a first alarm analysis rule and a secondalarm analysis rule, and alarm identifiers are the same between a rootalarm in the first alarm analysis rule and a root alarm in the secondalarm analysis rule, or alarm identifiers are the same between acorrelative alarm in the first alarm analysis rule and a correlativealarm in the second alarm analysis rule, or alarm identifiers are thesame between a correlative alarm in the first alarm analysis rule and aroot alarm in the second alarm analysis rule.
 12. The apparatusaccording to claim 8, wherein the interrelationship between thedifferent alarms comprises a brother relationship between the differentalarms, wherein the brother relationship indicates that the differentalarms have a same root alarm, and wherein the correlated alarm analysisrules comprise a third analysis rule and a fourth analysis rule, andalarm identifiers are the same between one alarm in the third alarmanalysis rule and one alarm in the fourth alarm analysis rule.
 13. Theapparatus according to claim 8, wherein the apparatus further comprisesa rule grouping module configured to group the correlated alarm analysisrules to the same alarm analysis rule group.
 14. The apparatus accordingto claim 13, wherein the apparatus further comprises a correlationreceiving module configured to receive a user-defined correspondencebetween the correlated alarm analysis rules and an analysis engine, andwherein the rule grouping module is specifically configured to allocate,according to the received correspondence between the correlated alarmanalysis rules and the analysis engine, the correlated alarm analysisrules to the alarm analysis rule corresponding to the analysis engine.15. An alarm correlation analysis method, wherein the method is appliedin an alarm correlation analysis apparatus with two or more analysisengines running, and the method comprises: receiving an alarm reportedby a network element device, wherein the alarm comprises an alarmidentifier that can uniquely identify the alarm; and performing, by ananalysis engine corresponding to an alarm group that comprises an alarmidentified by the same alarm identifier, correlation analysis for thereceived alarm according to an alarm analysis rule when the alarmidentifier of the received alarm is the same as an alarm identifier ofany alarm in any alarm group, wherein a same alarm group comprisescorrelated alarms, one alarm group corresponds to one analysis engine,and the correlated alarms refer to alarms generated by network elementdevices that belong to a same logical area, wherein the network elementdevices in the same logical area have a service correlation.
 16. Themethod according to claim 15, wherein performing, by the analysis enginecorresponding to the alarm group that comprises the alarm identified bythe same alarm identifier, correlation analysis for the received alarmaccording to the alarm analysis rule comprises: transferring thereceived alarm to the analysis engine corresponding to the alarm groupthat comprises the alarm indicated by the same alarm identifier; andperforming, by using the analysis engine, the correlation analysis forthe transferred alarm according to the alarm analysis rule.
 17. Themethod according to claim 15, wherein performing, by the analysis enginecorresponding to the alarm group that comprises the alarm identified bythe same alarm identifier, correlation analysis for the received alarmaccording to the alarm analysis rule comprises: correlating the receivedalarm with the analysis engine corresponding to the alarm group thatcomprises the alarm indicated by the same alarm identifier; andobtaining, by using the analysis engine, the alarm according to thecorrelation and performing the correlation analysis for the obtainedalarm according to the alarm analysis rule.
 18. The method according toclaim 15, further comprising grouping the correlated alarms to the samealarm group.
 19. The method according to claim 15, wherein the logicalarea is divided according to a subnet in which the network elementdevice is located, or wherein the logical area is divided according to amaintenance area that is divided by maintenance personnel.
 20. An alarmcorrelation analysis apparatus, comprising: an alarm receiving moduleconfigured to receive an alarm reported by a network element device,wherein the alarm comprises an alarm identifier that can uniquelyidentify the alarm; and an alarm processing module comprising two ormore analysis engines, wherein the alarm processing module is configuredto perform, by using an analysis engine corresponding to an alarm groupthat comprises an alarm identified by the same alarm identifier,correlation analysis for the received alarm according to an alarmanalysis rule when the alarm identifier of the received alarm is thesame as an alarm identifier of any alarm in any alarm group, wherein asame alarm group comprises correlated alarms, one alarm groupcorresponds to one analysis engine, and the correlated alarms refer toalarms generated by network element devices that belong to a samelogical area, wherein the network element devices in the same logicalarea have a service correlation.
 21. The apparatus according to claim20, wherein the alarm processing module is configured to: transfer thereceived alarm to the analysis engine corresponding to the alarm groupthat comprises the alarm indicated by the same alarm identifier; andperform, by using the analysis engine, the correlation analysis for thetransferred alarm according to the alarm analysis rule when the alarmidentifier of the received alarm is the same as the alarm identifier ofany alarm in any alarm group.
 22. The apparatus according to claim 20,wherein the alarm processing module is configured to: correlate thereceived alarm with the analysis engine corresponding to the alarm groupthat comprises the alarm indicated by the same alarm identifier; andobtain, by using the analysis engine, the alarm according to thecorrelation and perform the correlation analysis for the obtained alarmaccording to the alarm analysis rule when the alarm identifier of thereceived alarm is the same as the alarm identifier of any alarm in anyalarm group.
 23. The apparatus according to claim 20, wherein theapparatus further comprises an alarm grouping module configured to groupthe correlated alarms to the same alarm group.
 24. The apparatusaccording to claim 20, wherein the logical area is divided according toa subnet in which the network element device is located, or wherein thelogical area is divided according to a maintenance area that is dividedby maintenance personnel.
 25. A network management system, comprising:an alarm correlation analysis apparatus; and at least one networkelement device that has a communication connection with the alarmcorrelation analysis apparatus, wherein the network element device isconfigured to report an alarm to the alarm correlation analysisapparatus when a fault occurs, and wherein the alarm correlationanalysis apparatus comprises: an alarm receiving module configured toreceive an alarm reported by a network element device, wherein the alarmcomprises an alarm identifier that can uniquely identify the alarm; andan alarm processing module comprising two or more analysis engines,wherein the alarm processing module is configured to perform, by usingan analysis engine corresponding to an alarm analysis rule group thatcomprises an alarm indicated by the same alarm identifier, correlationanalysis for the received alarm according to an alarm analysis rule inthe alarm analysis rule group corresponding to the analysis engine whenthe alarm identifier of the received alarm is the same as an alarmidentifier of any alarm in any alarm analysis rule that is comprised inthe alarm analysis rule group corresponding to any one of the analysisengines, wherein a same alarm analysis rule group comprises correlatedalarm analysis rules, one alarm analysis rule group corresponds to oneanalysis engine, the alarm analysis rule is used to indicate aninterrelationship between different alarms, and multiple correlatedalarm analysis rules all comprise at least an alarm with a same alarmidentifier.
 26. A network management system, comprising: an alarmcorrelation analysis apparatus; and at least one network element devicethat has a communication connection with the alarm correlation analysisapparatus, wherein the network element device is configured to report analarm to the alarm correlation analysis apparatus when a fault occurs,and wherein the alarm correlation analysis apparatus comprises: an alarmreceiving module configured to receive an alarm reported by a networkelement device, wherein the alarm comprises an alarm identifier that canuniquely identify the alarm; and an alarm processing module comprisingtwo or more analysis engines, wherein the alarm processing module isconfigured to perform, by using an analysis engine corresponding to analarm group that comprises an alarm identified by the same alarmidentifier, correlation analysis for the received alarm according to analarm analysis rule when the alarm identifier of the received alarm isthe same as an alarm identifier of any alarm in any alarm group, whereina same alarm group comprises correlated alarms, one alarm groupcorresponds to one analysis engine, and the correlated alarms refer toalarms generated by network element devices that belong to a samelogical area, wherein the network element devices in the same logicalarea have a service correlation.